Introducing the PassiveTotal App for Splunk

April 6, 2016, Team RiskIQ

Users have asked, and now it’s here.

With the all-new PassiveTotal App for Splunk, organizations can now bring context to external threats, analyze attack data, and correlate that information with their internal event data to pinpoint and remediate threats—all in one place.

How does it work?

To automate security investigations into suspicious domains or IP addresses, the PassiveTotal App for Splunk searches the large and diverse datasets within PassiveTotal by RiskIQ services (including Passive DNS, WHOIS, Passive SSL, Tags, Classifications, and Host Attributes) and local Splunk repositories simultaneously to reveal any matching events. This capability enables researchers to pivot from indicator to indicator and, quite easily, identify potentially malicious external infrastructure while determining whether it is present in the Splunk index.

It’s worth noting that by automatically tracing suspicious activity back to its source infrastructure in a single, intuitive application, this unification of the external threat intelligence services in PassiveTotal with enterprise Splunk repositories also dramatically reduces the time spent on security incident investigation and remediation.

What it looks like

In a sample use case, members of a company’s security operations center (SOC) identified a potential exposure to a malicious infrastructure by performing an initial triage inside the PassiveTotal platform. Using the PassiveTotal App for Splunk, security analysts correlated internal events with PassiveTotal intelligence and seamlessly escalated their findings to the incident investigations team for detailed analysis and remediation.

By logging into Splunk and using the PassiveTotal app, the researchers had precise information and relevant context from their SOC team. Clicking on the malicious domain in question ran an instant search against local Splunk events and against data from PassiveTotal services, including passive DNS, historical SSL, WHOIS and tracking attributes. Although they found no internal matching events on their initial inspection, a pivot on passive DNS data did reveal a resolving IP address in internal web logs. Without leaving Splunk, researchers were able to determine that the IP address connected to a malicious domain associated with a known bad actor.
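The pivot just described (search for the domain, find nothing, then check each passive DNS resolution against the web logs) as an added Python example; this is not code from the PassiveTotal app. The passive DNS records and log lines are constructed, and the `results`/`resolve` record shape is an assumption about the API response, not taken from the post.

```python
import re
from typing import Dict, List

# Constructed passive DNS records for one domain. The "resolve" field name is an
# assumed stand-in for the shape of a PassiveTotal passive DNS result.
PASSIVE_DNS = {
    "bad-example.test": [
        {"resolve": "203.0.113.7", "firstSeen": "2016-01-02", "lastSeen": "2016-03-30"},
        {"resolve": "198.51.100.23", "firstSeen": "2015-11-10", "lastSeen": "2015-12-31"},
    ]
}

# Constructed web-log lines standing in for events in the local Splunk index.
WEB_LOGS = [
    '10.0.0.5 - - [01/Apr/2016:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Apr/2016:10:13:44 +0000] "GET http://203.0.113.7/update.bin HTTP/1.1" 200 40960 "-" "curl/7.47"',
    '10.0.0.5 - - [01/Apr/2016:10:15:10 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def find_in_logs(indicator: str, logs: List[str]) -> List[str]:
    """Return log lines containing the indicator as a whole token.

    The lookarounds stop 203.0.113.7 from matching inside 203.0.113.70 or
    a longer hostname, which is the usual false-positive source in raw greps.
    """
    pattern = re.compile(r"(?<![\w.])" + re.escape(indicator) + r"(?![\w.])")
    return [line for line in logs if pattern.search(line)]


def pivot_domain(domain: str, passive_dns: Dict[str, List[dict]], logs: List[str]) -> Dict[str, List[str]]:
    """Correlate a domain with local logs directly and via its passive DNS resolutions.

    Returns a mapping of indicator -> matching log lines; an empty dict means
    neither the domain nor any IP it resolved to appears in the logs.
    """
    hits: Dict[str, List[str]] = {}
    direct = find_in_logs(domain, logs)
    if direct:
        hits[domain] = direct
    # Pivot: every historical resolution becomes a second indicator to search for.
    for record in passive_dns.get(domain, []):
        ip_hits = find_in_logs(record["resolve"], logs)
        if ip_hits:
            hits[record["resolve"]] = ip_hits
    return hits
```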

How to get started

The PassiveTotal Splunk app is hosted in two locations: Splunkbase and PassiveTotal’s Github repository. In both places, we include detailed documentation on how to install the app into your Splunk environment. While we offer the code on Github, we do recommend using the “Apps” menu from within Splunk directly as it handles all of the installation with one click.

Once installed, you will need two things handy: your PassiveTotal username (email address) and API key. Note that the Splunk app automates a lot of query lookups against our API, so if you’re not an enterprise customer, you’ll likely exhaust your daily query limit incredibly fast. If this happens, don’t worry – send us a message, and we can boost your account, so you can see what the app is all about.